Port collision technology makes open ports more secure

All ports opened on firewalls and routers are a security risk. This is also the value of port knocking. Port collision technology is a technology that allows access to firewall services with pre-configured "Collision. The so-called collision is composed of a sequence of attempts to access the system to close the port. These attempts are either recorded in a log or saved in a background process. By configuring this log or process in advance, you can monitor the sequence of opened ports, if the attempt sequence matches the preset sequence, you can open a port.
In this way, a port can be opened only when needed, thus having certain technical advantages. It is difficult for hackers to remotely exploit services related to closed ports to attack the system. For example, for remote management, it is convenient to open the SSH service on a public server, but this also allows the system to allow anyone to try to access the system. Of course, you can specify an IP address range for access to this port. However, this still brings security and access challenges. The port collision technology enables you to handle both of these two aspects well: This port is closed most of the time, but you know that this method can be opened anywhere at any time.

Overview

Some services that everyone is familiar with have certain security issues. Therefore, most of the security damages are achieved by using these security issues on the Internet. FTP and SSH use ports that everyone is familiar with. Therefore, these services have been attacked by various methods for a long time. In most cases, these services are used by internal users. Therefore, internal users are the main candidates for using port collision technology.

Obviously, port collision technology is not suitable for public access services, such as HTTP and SMTP services. Because Web Services and email services need to allow connections from anywhere. However, for all other services, the best practice is to disable all non-essential ports. Therefore, from the perspective of security issues, a very useful service such as SSH often needs to be closed.

This is a useful part of the port collision technology. First, the detection technology will not find such a server based on the port collision technology configuration. The firewall software will automatically reject all port scans or any direct connection attempts. In addition, you can select a series of non-consecutive port numbers to implement port collision (we will introduce it later), which can alleviate security concerns, because a standard port scanner is generally unlikely to obtain a correct collision sequence. By using this method, you can achieve good security and remote access.

You may ask yourself, why do I need this method? In fact, you may not use this technology. This technology only increases the security of the current network and creates an imperceptible security layer between potential hackers and the services to be protected. If the remote user does not know that the server is listening for a specific port, you will greatly reduce the number of times the system is compromised through this port. Furthermore, remote users are unlikely to determine whether the server uses the port collision technology, and therefore are unlikely to use brute force attempts to guess the correct sequence.

Port collision details

You can use different methods to configure port collisions. You can use a static port sequence to implement authorized access. For example, the server can set this to enable TCP port 22 after it receives connection attempts with ports 2033, 3022, 6712, and 4998 in sequence. If the server receives an incorrect sequence, shut down the port or use a timer to close the port. After the background process that monitors the firewall logs intercepts these rejected attempts, a new firewall rule is added to the firewall to open the necessary ports and authorize users to access the ports.


You can also use dynamic configuration technology to open a port. First, you need to create a port set. In this example, we will use port 1040 to port 1049. By providing a Starting sequence, such as 1042, 1044, and 1043, you may also need to provide the server with the corresponding receiving information for the port you want to open. After the sequence 1042, 1044, and 1043, you need to let the server know that you want it to open port 443. This design is used to increase the flexibility and options required to open ports on different servers without static configuration.

Encrypted communication may also increase the level of security. If you are worried about someone sniffing your data packets or someone stealing your collision sequence, this encryption method will be very helpful. For port collision, using encryption technology is the safest method, and we will see in subsequent articles that encryption technology is a frequently used method in prototype.

Use knockclient and knockdaemon

Portknocking.org has implemented port collision technology using the Perl language and can now download this tool from the company's website. The file portknocking-0.1.tgz contains the knockclient and knockdaemon programs. This version allows remote users to open ports 0 to 255 and automatically use Crypt: Blowfish to perform encryption. You only need to use the necessary Command Options on the remote system to call the knockclient program. For example, to open port 22 on a specific IP address on a remote system, you can run the following command: knockclient-client 192.168.0.1-remote 10.1.42.1-port 22-time 0.

In this example, we want to open port 22 on the server with the IP address 10.1.42.1, and only allow one connection between the host with the IP address 192.168.0.1d. Because the-time ID is 0, there is no limit on the opening time of the port we want to open. If the time is 255, the command is to close this port. Other time values from 1 to 254 indicate the port opening time (in minutes ). The Shared Password between the knockclient and knockdaemon is used to encrypt the collision sequence, and the information between the remote host and the local host can only be understood by themselves. In addition, the remote host port 745 must be used to port 1000. After the server port is opened, You need to disable these ports on the remote host and enable the firewall log. The background process listens to the eight collisions of these ports by default. Perl mode file: Tail is used to detect new row information added to the firewall log, and knockdaemon will analyze the row information.

Although this is just a prototype, it runs well. Obviously, the core of the port collision technology is whether a port can be opened in the collision sequence initiated by a remote host. Writing such a program or adding it to the current available resources is not difficult, and can easily implement customization of various systems. For example, if you access a NATIP address, you can configure a policy based on the collision sequence to dynamically forward SSH access to the internal host. In addition, based on your configuration, port collision technology can also be used to back up or run other jobs.

Summary

Port collision technology is very beneficial for adding an invisible layer of authentication. Only users with the correct port number can have one chance to obtain available services such as SSH. This allows the server to accept connections from any IP address, such as a mobile or dynamic IP address, you can also create a certain level of trust-this trust is based on the remote system to know the correct collision sequence. For those servers that have achieved better security, port collision technology is the best supplement.